enterprise-support team mailing list archive

Thread
Date
[Bug 2009259] [NEW] ldap_do_free_request: Assertion `lr->lr_refcnt == 1'

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: AZ <2009259@xxxxxxxxxxxxxxxxxx>
Date: Sat, 04 Mar 2023 12:04:29 -0000
Reply-to: Bug 2009259 <2009259@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

Using apache2 authnz_ldap against Active Directory with require ldap-
group (after auth_kerb authentication) crashes apache2 when serving any
request with:

[Thu Mar 02 16:43:21.251455 2023] [mpm_prefork:notice] [pid 3809200] AH00163: Apache/2.4.52 (Ubuntu) mod_auth_kerb/5.4 OpenSSL/3.0.2 configured -- resuming normal operations
[Thu Mar 02 16:43:21.251503 2023] [core:notice] [pid 3809200] AH00094: Command line: '/usr/sbin/apache2'
apache2: ../../../../libraries/libldap/request.c:970: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed.

This only happens with search base = ad root dsn and seems related to
the extra search response items like the following to the user lookup
query (traced with tshark), which are only returned when search base =
ad root dsn.

Lightweight Directory Access Protocol
    LDAPMessage searchResRef(2)
        messageID: 2
        protocolOp: searchResRef (19)
            searchResRef: 1 item
                LDAPURL: ldap://DomainDnsZones.example.org/DC=DomainDnsZones,DC=example,DC=org
        [Response To: 8]
        [Time: 0.043273000 seconds]

Likely a bug related to openldap, so these are the ldap libs installed:
ii  libldap-2.5-0:amd64    2.5.13+dfsg-0ubuntu0.22.04.1 amd64        OpenLDAP libraries
ii  libldap-common         2.5.13+dfsg-0ubuntu0.22.04.1 all          OpenLDAP common files for libraries

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: apache2 2.4.52-1ubuntu4.3
ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-32-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: LXQt
Date: Sat Mar  4 12:57:47 2023
SourcePackage: apache2
UpgradeStatus: Upgraded to jammy on 2022-07-09 (238 days ago)

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy

** Description changed:

  Using apache2 authnz_ldap against Active Directory with ldap-group
- crashes apache2 when serving any request with:
+ (after auth_kerb authentication) crashes apache2 when serving any
+ request with:
  
  [Thu Mar 02 16:43:21.251455 2023] [mpm_prefork:notice] [pid 3809200] AH00163: Apache/2.4.52 (Ubuntu) mod_auth_kerb/5.4 OpenSSL/3.0.2 configured -- resuming normal operations
  [Thu Mar 02 16:43:21.251503 2023] [core:notice] [pid 3809200] AH00094: Command line: '/usr/sbin/apache2'
  apache2: ../../../../libraries/libldap/request.c:970: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed.
  
  This only happens with search base = ad root dsn and seems related to
  the following extra search response items to the user lookup query
  (traced with tshark), which are only returned when search base = ad root
  dsn.
  
  Lightweight Directory Access Protocol
      LDAPMessage searchResRef(2)
          messageID: 2
          protocolOp: searchResRef (19)
              searchResRef: 1 item
                  LDAPURL: ldap://DomainDnsZones.example.org/DC=DomainDnsZones,DC=example,DC=org
          [Response To: 8]
          [Time: 0.043273000 seconds]
  
  Likely a bug related to openldap, so these are the ldap libs installed:
  ii  libldap-2.5-0:amd64    2.5.13+dfsg-0ubuntu0.22.04.1 amd64        OpenLDAP libraries
  ii  libldap-common         2.5.13+dfsg-0ubuntu0.22.04.1 all          OpenLDAP common files for libraries
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apache2 2.4.52-1ubuntu4.3
  ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-32-generic x86_64
  Apache2ConfdDirListing: False
  Apache2Modules:
   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
   httpd (pid 4107) already running
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: LXQt
  Date: Sat Mar  4 12:57:47 2023
  SourcePackage: apache2
  UpgradeStatus: Upgraded to jammy on 2022-07-09 (238 days ago)
  error.log: Error: [Errno 13] Keine Berechtigung: '/var/log/apache2/error.log'

** Description changed:

- Using apache2 authnz_ldap against Active Directory with ldap-group
- (after auth_kerb authentication) crashes apache2 when serving any
+ Using apache2 authnz_ldap against Active Directory with require ldap-
+ group (after auth_kerb authentication) crashes apache2 when serving any
  request with:
  
  [Thu Mar 02 16:43:21.251455 2023] [mpm_prefork:notice] [pid 3809200] AH00163: Apache/2.4.52 (Ubuntu) mod_auth_kerb/5.4 OpenSSL/3.0.2 configured -- resuming normal operations
  [Thu Mar 02 16:43:21.251503 2023] [core:notice] [pid 3809200] AH00094: Command line: '/usr/sbin/apache2'
  apache2: ../../../../libraries/libldap/request.c:970: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed.
  
  This only happens with search base = ad root dsn and seems related to
  the following extra search response items to the user lookup query
  (traced with tshark), which are only returned when search base = ad root
  dsn.
  
  Lightweight Directory Access Protocol
      LDAPMessage searchResRef(2)
          messageID: 2
          protocolOp: searchResRef (19)
              searchResRef: 1 item
                  LDAPURL: ldap://DomainDnsZones.example.org/DC=DomainDnsZones,DC=example,DC=org
          [Response To: 8]
          [Time: 0.043273000 seconds]
  
  Likely a bug related to openldap, so these are the ldap libs installed:
  ii  libldap-2.5-0:amd64    2.5.13+dfsg-0ubuntu0.22.04.1 amd64        OpenLDAP libraries
  ii  libldap-common         2.5.13+dfsg-0ubuntu0.22.04.1 all          OpenLDAP common files for libraries
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apache2 2.4.52-1ubuntu4.3
  ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-32-generic x86_64
  Apache2ConfdDirListing: False
  Apache2Modules:
   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
   httpd (pid 4107) already running
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: LXQt
  Date: Sat Mar  4 12:57:47 2023
  SourcePackage: apache2
  UpgradeStatus: Upgraded to jammy on 2022-07-09 (238 days ago)
  error.log: Error: [Errno 13] Keine Berechtigung: '/var/log/apache2/error.log'

** Description changed:

  Using apache2 authnz_ldap against Active Directory with require ldap-
  group (after auth_kerb authentication) crashes apache2 when serving any
  request with:
  
  [Thu Mar 02 16:43:21.251455 2023] [mpm_prefork:notice] [pid 3809200] AH00163: Apache/2.4.52 (Ubuntu) mod_auth_kerb/5.4 OpenSSL/3.0.2 configured -- resuming normal operations
  [Thu Mar 02 16:43:21.251503 2023] [core:notice] [pid 3809200] AH00094: Command line: '/usr/sbin/apache2'
  apache2: ../../../../libraries/libldap/request.c:970: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed.
  
  This only happens with search base = ad root dsn and seems related to
- the following extra search response items to the user lookup query
- (traced with tshark), which are only returned when search base = ad root
- dsn.
+ the extra search response items like the following to the user lookup
+ query (traced with tshark), which are only returned when search base =
+ ad root dsn.
  
  Lightweight Directory Access Protocol
      LDAPMessage searchResRef(2)
          messageID: 2
          protocolOp: searchResRef (19)
              searchResRef: 1 item
                  LDAPURL: ldap://DomainDnsZones.example.org/DC=DomainDnsZones,DC=example,DC=org
          [Response To: 8]
          [Time: 0.043273000 seconds]
  
  Likely a bug related to openldap, so these are the ldap libs installed:
  ii  libldap-2.5-0:amd64    2.5.13+dfsg-0ubuntu0.22.04.1 amd64        OpenLDAP libraries
  ii  libldap-common         2.5.13+dfsg-0ubuntu0.22.04.1 all          OpenLDAP common files for libraries
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apache2 2.4.52-1ubuntu4.3
  ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-32-generic x86_64
  Apache2ConfdDirListing: False
  Apache2Modules:
   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
   httpd (pid 4107) already running
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: LXQt
  Date: Sat Mar  4 12:57:47 2023
  SourcePackage: apache2
  UpgradeStatus: Upgraded to jammy on 2022-07-09 (238 days ago)
  error.log: Error: [Errno 13] Keine Berechtigung: '/var/log/apache2/error.log'

** Description changed:

  Using apache2 authnz_ldap against Active Directory with require ldap-
  group (after auth_kerb authentication) crashes apache2 when serving any
  request with:
  
  [Thu Mar 02 16:43:21.251455 2023] [mpm_prefork:notice] [pid 3809200] AH00163: Apache/2.4.52 (Ubuntu) mod_auth_kerb/5.4 OpenSSL/3.0.2 configured -- resuming normal operations
  [Thu Mar 02 16:43:21.251503 2023] [core:notice] [pid 3809200] AH00094: Command line: '/usr/sbin/apache2'
  apache2: ../../../../libraries/libldap/request.c:970: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed.
  
  This only happens with search base = ad root dsn and seems related to
  the extra search response items like the following to the user lookup
  query (traced with tshark), which are only returned when search base =
  ad root dsn.
  
  Lightweight Directory Access Protocol
      LDAPMessage searchResRef(2)
          messageID: 2
          protocolOp: searchResRef (19)
              searchResRef: 1 item
                  LDAPURL: ldap://DomainDnsZones.example.org/DC=DomainDnsZones,DC=example,DC=org
          [Response To: 8]
          [Time: 0.043273000 seconds]
  
  Likely a bug related to openldap, so these are the ldap libs installed:
  ii  libldap-2.5-0:amd64    2.5.13+dfsg-0ubuntu0.22.04.1 amd64        OpenLDAP libraries
  ii  libldap-common         2.5.13+dfsg-0ubuntu0.22.04.1 all          OpenLDAP common files for libraries
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apache2 2.4.52-1ubuntu4.3
  ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-32-generic x86_64
- Apache2ConfdDirListing: False
- Apache2Modules:
-  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
-  httpd (pid 4107) already running
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: LXQt
  Date: Sat Mar  4 12:57:47 2023
  SourcePackage: apache2
  UpgradeStatus: Upgraded to jammy on 2022-07-09 (238 days ago)
- error.log: Error: [Errno 13] Keine Berechtigung: '/var/log/apache2/error.log'

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2009259

Title:
  ldap_do_free_request: Assertion `lr->lr_refcnt == 1'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2009259/+subscriptions
Follow ups

[Bug 2009259] Re: ldap_do_free_request: Assertion `lr->lr_refcnt == 1'
From: Launchpad Bug Tracker, 2023-11-05